v1.0.0

OpenClaw Migrator

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

This appears to be a legitimate OpenClaw migration tool, but it restores powerful agent state directly into the home environment and begins extracting files before the archive has been fully authenticated, so it deserves careful review before use.

Guidance: Install only from a source you trust, use a strong password without exposing it in command history, keep backups of existing `.openclaw` and `clawd` data, and restore first into a temporary/staging directory so you can inspect the contents before replacing your active OpenClaw environment.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
src/restore.js
splitter.on('tag', (tag) => { ... decipher.setAuthTag(tag); ... }); ... const extractor = tar.x({ cwd: targetDir, ... }); ... input.pipe(splitter).pipe(decipher).pipe(extractor);

The decrypted tar stream is piped straight into an extractor rooted at the target directory, while the GCM authentication tag is only verified when the stream ends (`setAuthTag` is called from the splitter's tail event, and the decipher does not check it until `final()`). Files can therefore be written from unauthenticated plaintext before a tampered archive is rejected. The artifacts do not show staging, cleanup, or path allowlisting before files are written.

User impact: A corrupted or tampered archive could partially write or overwrite agent files before the decryption/authentication failure is reported, and nothing rolls those writes back; this matters most because the default restore location is the user's home environment.
Recommendation: Decrypt and authenticate to a temporary location first, validate expected paths and manifest contents (reject absolute paths, `..` components, and link entries), then atomically restore with a backup and explicit user confirmation.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
package.json
"dependencies": { "archiver": "^7.0.0", "tar": "^7.4.3", "fs-extra": "^11.2.0", "commander": "^12.0.0" }

The CLI depends on external npm packages with semver ranges. This is normal for a Node tool, but installs may resolve newer package versions.

User impact: Dependency changes or a compromised dependency could affect a tool that reads and writes sensitive agent state.
Recommendation: Install from a trusted source, review the resolved dependency versions, and prefer a lockfile with an install that honors it (for example `npm ci`) or pinned versions when migrating sensitive environments.
Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
migrator export --out my-agent.oca --password "secret"

The documented example places the archive password directly on the command line, which can expose it through shell history or local process listings.

User impact: If the migration password is exposed, the encrypted archive's protection for tokens, memory, and configuration is weakened.
Recommendation: Avoid putting real passwords directly in command history; prefer an interactive prompt or another safer secret-handling method.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
This skill handles sensitive data (`openclaw.json`, `auth.token`).

The skill explicitly handles local OpenClaw credential/config material. This is expected for migration, but it is high-impact data.

User impact: The exported archive may contain API keys, tokens, or auth profiles; anyone with the archive password can potentially restore those credentials elsewhere.
Recommendation: Use a strong unique password, store the `.oca` archive securely, avoid sharing it, and rotate credentials if the archive or password is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
src/index.js
.option('--source <paths...>', 'Source directories', [ path.join(process.env.HOME, '.openclaw'), path.join(process.env.HOME, 'clawd') ]) ... .option('-d, --dest <path>', 'Destination directory (defaults to HOME)', process.env.HOME)

The default workflow packages and restores persistent OpenClaw state from the user's home directory, including memory/skills per the skill description, and writes it back to the home environment.

User impact: Imported memory or skills can influence future agent behavior across sessions; restoring the wrong or an untrusted archive could persist misleading instructions or unwanted agent state.
Recommendation: Restore only archives from trusted machines, inspect or stage restored memory/skills before activating them, and keep a backup of the existing OpenClaw state.